VMware's Sanjay Poonen highlighted the company's new endpoint security strategy at the VMworld 2016 conference.

VMworld 2016: VMware Promises Unified Approach to Windows 10 Endpoint Security

VMware says that its new approach will combine enterprise mobility management with PC lifecycle management to deliver granular endpoint security for businesses.

VMware is taking a comprehensive approach to providing endpoint security for devices running Microsoft’s Windows 10 platform, and argues that its approach can help businesses save thousands of dollars per device on endpoint security.

During the second day of the VMworld 2016 conference in Las Vegas, VMware unveiled what it calls Unified Endpoint Management (UEM) for Windows 10, combining enterprise mobility management and traditional PC lifecycle management into a single solution. The UEM approach has three core elements, according to Sanjay Poonen, VMware’s executive vice president and general manager of end-user computing. Those elements include endpoint security, endpoint management and software lifecycle automation.

As more businesses upgrade to Windows 10, they are gaining the security advantages inherent in the new platform but are also likely deploying more mobile devices, because Windows 10 is designed to run on notebooks, tablets, smartphones and many other devices. That makes businesses’ endpoint environments more complex and potentially more vulnerable. VMware thinks its UEM solution will not only lower the costs of providing endpoint security and managing endpoints, but also make it easier to do so.

A New Approach to Endpoint Security

During the keynote session, Poonen said that it costs on average $7,000 per year, per endpoint, to provide endpoint security. He said that figure not only includes endpoint security software but also the servers and labor needed to support those solutions. VMware thinks its approach can save companies between 15 and 30 percent on that $7,000 figure.

VMware’s solution embraces an identity-driven approach to securing devices, especially as companies move to cloud-based apps like Office 365. VMware argues that “legacy on-premises models for endpoint management are difficult with disjointed management and complex processes designed for fixed desktops and client-server applications,” according to a company statement.

The company’s UEM approach will extend “current Windows 10 management with PC lifecycle management capabilities, including configuration management and provisioning, software distribution, operating system (OS) patch management and client health and security management, to fundamentally change the endpoint management paradigm using a modern, mobile-cloud platform.”

This enables IT to deploy security patches and OS updates faster, install software more reliably and consolidate operational processes across all devices — on or off the domain. By integrating PC lifecycle management with modern enterprise mobility management, the VMware unified endpoint management technology can lower the cost of managing Windows deployments, secure endpoints and data on any network across any application, and deliver a high-quality, consistent experience to end users across any device.

Endpoint Security and Management

VMware announced Workspace ONE with VMware Identity Manager, a solution that it said will help businesses overcome the deployment and management challenges of Office 365. IT administrators will be able to automatically provision and deprovision end users based on existing Active Directory group membership, according to VMware. Further, when employees leave an organization, their access to cloud-based Office 365 resources is immediately revoked through entitlement management, whereas previously authentication tokens could be valid for hours or days after separation.

With the security provided by Workspace ONE, Poonen said a user could try to copy data from a document they accessed in Office 365 to Twitter or another application that is not a managed application. Thanks to conditional access technology, the solution knows the data is not supposed to be copied and will block the user’s attempt to do so, he said.

Additionally, with VMware’s NSX solution (its network virtualization platform for the software-defined data center), companies can take conditional access “to a whole new level,” Poonen said. Businesses can segment certain parts of a virtualized data center so that users can access only certain pieces of data.

VMware is building on the partnership that it announced in June with enterprise security firm Tanium and the solution they developed called TrustPoint. Tanium CEO Orion Hindawi demonstrated TrustPoint, which gives companies quick visibility and control of every endpoint they have, and also offers threat detection and remediation, endpoint and application management, and automated Windows image migration and management.

IT administrators can use TrustPoint by asking questions in plain English — for example, to find every instance of the Mozilla Firefox browser running on users’ endpoints. That information is then delivered in seconds and can be scaled up to millions of devices, including PCs, notebooks, virtual machines and servers, Hindawi said.

“We can actually interact with the environment and start seeing what’s happening,” he said, adding, “Many of our customers don’t even know how many computers they have, much less what they’re doing right now.”

TrustPoint gives companies visibility into every app running on every device, and then lets businesses see if a device has been breached. They can quarantine that device and then drill down and do a forensic analysis to see if the problem has occurred on other devices. The solution gives admins real-time information about exactly what’s happening, and they can see every application on every device. Hindawi called it “a complete sea change in the way people are doing endpoint management … what would have taken days or weeks for many people, we’re compressing it down to seconds.”

“From a security standpoint, time is probably the most important criteria on whether you are going to succeed in blocking something or whether it’s going to take control of your environment,” he said.

Poonen said that Windows 10 offers companies “a much lighter weight way of being able to manage endpoints than ever existed before.”

TrustPoint will be the key part of the endpoint security VMware will deliver, Poonen said, and endpoint management will be run through VMware’s AirWatch platform.

“When we combine those together, we think we can do this at a fraction of the cost,” Poonen said during a news conference. “It will stretch for both midmarket and large companies.”

Aug 30 2016